Don’t let the ongoing “crypto winter” lull you into a false sense of cybersecurity. Even as cryptocurrencies lose value — and some crypto companies file for bankruptcy — cryptojacking still poses an urgent threat to enterprises across industries, from financial services to healthcare to industry 4.0 and beyond.
Broadly speaking, cryptojacking is defined as the unauthorized and illegitimate use of an unwitting party’s compute and/or server power by a malicious actor to mine cryptocurrencies. While everyone with an internet connection is technically vulnerable to cryptojacking, most attacks target enterprises with significant compute resources, especially those with an outsized number of third-party relationships. (More on that last part in a bit.) And if a malicious actor can breach your cybersecurity defenses for cryptojacking purposes, they can breach them for any number of nefarious reasons.
Under normal conditions, mining for cryptocurrency is hugely expensive because doing so requires immense electricity and sophisticated hardware. Cryptojacking cuts out the overhead for malicious actors, so whatever they’re able to mine turns into pure profit.
For legitimate cryptocurrency owners, the losses associated with “crypto winter” have been catastrophic. But for cryptojackers, “crypto winter” just means a little less free money than before. The margins remain enormously high, and the incentives haven’t changed. Nefarious actors still need access to capital that is largely untraceable — so even amidst the crash, cryptocurrencies remain an important asset to them. In other words, don’t expect cryptojacking attacks to abate any time soon.
Who is vulnerable to cryptojacking — and why?
The short answer: everyone. The slightly longer answer: companies that are particularly dependent on third parties for their core business. Whenever a nefarious actor is trying to breach your cybersecurity defenses — be it a member of a ransomware gang or a cryptojacker (which sometimes come in the same form) — they’ll always look for your weakest link. Oftentimes, the weakest link is the trust you’ve bestowed upon a third party, or multiple third parties.
Unsurprisingly, those third parties may also have third parties that they trust, but with whom you have no direct relationship. Because so many enterprises are built on these interconnected networks of trust — and sometimes labyrinthine third-party relationship dynamics — weak points tend to cascade outward, making it easier for a cryptojacker to breach your cybersecurity defenses.
A real world example of the potential threat third party relationships pose to enterprise security
A whopping 70 percent of financial companies that experienced data breaches reported that their particular breach was caused by granting too much privileged access to third-party users. In those instances, more than half didn’t investigate the security and privacy practices of third parties before doing business with them. As alarming, 46 percent don’t keep an active and comprehensive inventory of every third party they’ve given access to privileged information. It’s hard to know who your enemy is when you don’t even know who your partners are.
Are there steps you can take to avoid being cryptojacked?
Absolutely. It’s always a good idea — and never a bad time — to conduct a risk assessment to determine your enterprise’s vulnerabilities, especially its weakest link. Again, the odds are that it will be a third-party relationship. From there, you can deploy endpoint protections to detect if a cryptominer is running on an individual or server endpoint, which will help mediate the problem. (Of course, it’s always better to catch these problems before being infiltrated. But better late than never!)
Enterprises can also approach third-party relationships with a functional zero trust policy, which includes strong identity verification; extreme password and secret management; and granting privileged access to explicitly authorized users. In addition to zero trust, enterprises can implement systems that only grant users access to systems when they absolutely need that access. This eliminates rule creep and permissions creep, and ensures that everyone only has access to what they need and nothing more.
Cryptojacking and other Web 3 attacks aren’t going away any time soon — but that doesn’t mean your enterprise is defenseless either.
Note — This article is written and contributed by Joel Burleson-Davis, SVP Worldwide Engineering, Cyber at Imprivata.